e-Authentication for Business

Is e-Authentication required for my business?

The Internet has revolutionised the way information and services are delivered. Providing business functions online is now a prerequisite for a company to stay competitive. To automate core business processes, businesses have to give their users, including customers, suppliers and employees, access to corporate information and applications anytime, anywhere.

To prevent unauthorised users from gaining access to protected resources, secure authentication systems are required to ensure that users are who they claim to be.

What are the processes involved?

e-Authentication is an important element in establishing trust in electronic transactions. Two major processes are involved:

1. Enrolment Process

The enrolment process normally consists of two major components, namely Enrolment and Revocation.

Enrolment is

to ensure that the claimed identity actually exists;

to ensure that the applicant is who he/she claims to be;

to ensure that the information associated with the identity is consistent, accurate and recorded properly; and

to issue a credential or record details of an existing credential.

Revocation is

to withdraw and where necessary replace credentials in case of the holder’s death, resignation or dismissal, change of name, cessation of trading or other significant change of circumstances;

to withdraw and replace stolen/compromised credentials;

to suspend credentials where there is suspicion of compromise, theft or significant change of circumstances; and

to withdraw credentials at the client’s request.

2. Authentication Process

Authentication is the process of identifying and proving the identity of a user or party who attempts to send messages or access data. The objectives are

to check that the credential is valid for the transaction in question; and

to check that the credential presented has not expired, been revoked or withdrawn.
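The two processes above (enrolment with revocation, then authentication) can be read as one credential lifecycle. The following is an added example, not code from the original page: a small in-memory registry in which a credential is issued only after identity proofing succeeds, can be suspended, reinstated, revoked or replaced, and a verifier's check confirms that a presented credential belongs to the claimant, is still active and has not expired. Names such as CredentialRegistry and the injectable clock are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"   # suspicion of compromise; can be reinstated
    REVOKED = "revoked"       # withdrawn for good


@dataclass
class Credential:
    credential_id: str
    subject: str
    expires_at: datetime
    status: Status = Status.ACTIVE
    reason: str = ""


class CredentialRegistry:
    """Hypothetical registry: holds issued credentials and answers the verifier's checks.
    `now` is injectable so expiry can be exercised deterministically."""

    def __init__(self, now=None):
        self._store = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    # --- Enrolment -------------------------------------------------------
    def enrol(self, subject, identity_verified, lifetime_days=365):
        # Issue a credential only once identity proofing has succeeded.
        if not identity_verified:
            raise PermissionError("identity proofing failed; no credential issued")
        cred = Credential(
            credential_id=secrets.token_hex(8),
            subject=subject,
            expires_at=self._now() + timedelta(days=lifetime_days),
        )
        self._store[cred.credential_id] = cred
        return cred

    # --- Revocation ------------------------------------------------------
    def suspend(self, credential_id, reason):
        cred = self._store[credential_id]
        if cred.status is Status.ACTIVE:
            cred.status, cred.reason = Status.SUSPENDED, reason

    def reinstate(self, credential_id):
        cred = self._store[credential_id]
        if cred.status is Status.SUSPENDED:
            cred.status, cred.reason = Status.ACTIVE, ""

    def revoke(self, credential_id, reason):
        cred = self._store[credential_id]
        cred.status, cred.reason = Status.REVOKED, reason

    def replace(self, credential_id, reason):
        """Withdraw a stolen/compromised credential and issue a fresh one to the same subject."""
        old = self._store[credential_id]
        self.revoke(credential_id, reason)
        return self.enrol(old.subject, identity_verified=True)

    # --- Authentication --------------------------------------------------
    def check(self, credential_id, subject):
        """Return (ok, reason). The credential must exist, belong to the claimant,
        be active (not suspended/revoked) and not yet expired."""
        cred = self._store.get(credential_id)
        if cred is None:
            return False, "unknown credential"
        if cred.subject != subject:
            return False, "credential not valid for this claimant"
        if cred.status is not Status.ACTIVE:
            return False, f"credential {cred.status.value}: {cred.reason}"
        if self._now() >= cred.expires_at:
            return False, "credential expired"
        return True, "ok"
```

The ordering inside check matters: a revoked credential is reported as revoked even after it has also expired, so the verifier's log records the stronger reason.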

What are the common threats?

Enrolment

Broadly speaking, there are three types of attacks in the enrolment process:

Impersonation
The attacker obtains a credential in another person's name; the person impersonated may be specifically targeted or chosen at random.

Fictitious Subscriber
The attacker claims the identity of a non-existent person with the goal of creating a subscriber relationship.

Rogue Enrolment Entity
An insider abuses a trusted position within the enrolment entity to create or obtain credentials, either for a prospective subscriber or for a non-existent person.

Authentication

There are four main sources of threats in the authentication process:

Eavesdropper / Replay Attack
An eavesdropper observes authentication data in transit across the network for later analysis, or intercepts messages between the genuine parties. The eavesdropper then attempts to use the captured tokens to pose as the rightful user. This is often combined with a replay attack, in which a valid data transmission is maliciously or fraudulently repeated or delayed.
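The standard countermeasure is to make every authentication exchange single-use: the verifier issues a fresh random challenge, the claimant answers with a keyed hash over it, and the verifier accepts each challenge at most once and only within a short window. The following is an added example, not code from the original page; it assumes an HMAC-SHA256 secret shared between claimant and verifier at enrolment, and the class and function names are invented for the illustration. It also contrasts this with a static secret sent as-is, which verifies identically every time it is replayed.

```python
import hashlib
import hmac
import secrets
import time


class Verifier:
    """Relying-party side (hypothetical): issues a random challenge per attempt and
    accepts a response to it only once, so a captured (challenge, response) pair is useless."""

    def __init__(self, shared_keys, challenge_ttl=60.0, clock=time.monotonic):
        self._keys = shared_keys        # user -> secret shared at enrolment
        self._ttl = challenge_ttl       # seconds a challenge remains answerable
        self._clock = clock             # injectable for deterministic tests
        self._outstanding = {}          # nonce -> (user, issued_at)

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # unpredictable and never reused
        self._outstanding[nonce] = (user, self._clock())
        return nonce

    def verify(self, user, nonce, response):
        entry = self._outstanding.pop(nonce, None)  # consume: one answer per challenge
        if entry is None:
            return False                 # unknown or already used, i.e. a replay
        issued_for, issued_at = entry
        key = self._keys.get(user)
        if key is None or issued_for != user:
            return False                 # challenge was not issued to this claimant
        if self._clock() - issued_at > self._ttl:
            return False                 # delayed replay outside the window
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def claimant_respond(key, nonce):
    """Claimant side: proves possession of the shared secret without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def static_password_login(stored, sent):
    """Contrast: a static secret transmitted as-is is accepted every time it is replayed."""
    return hmac.compare_digest(stored, sent)


def demo():
    """Return (genuine_ok, replay_ok, static_replay_ok)."""
    key = secrets.token_bytes(32)
    v = Verifier({"alice": key})
    nonce = v.challenge("alice")
    captured = claimant_respond(key, nonce)          # what an eavesdropper sees on the wire
    genuine_ok = v.verify("alice", nonce, captured)  # first use: accepted
    replay_ok = v.verify("alice", nonce, captured)   # same pair resent: rejected
    pw = b"constructed-static-secret"
    static_replay_ok = static_password_login(pw, pw)  # captured static value works again
    return genuine_ok, replay_ok, static_replay_ok
```

Binding the nonce to the user it was issued for closes a second gap: a challenge obtained for one account cannot be answered on behalf of another.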

Password Guessing
The most common way a hacker will try to get your password is a dictionary attack. In a dictionary attack, the attacker takes a dictionary of words and names and tries each one to see if it is your password. This is done with programs that can try hundreds or thousands of words per second.
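Because an online dictionary attack shows up as a burst of failed logins against one account, it is both detectable in the authentication log and containable by throttling. The following is an added example, not code from the original page: a detector that flags accounts whose failures within a sliding window reach a threshold, run over a constructed sample log, plus a lockout policy that rejects further attempts for a period once that threshold is hit. The log format, the thresholds and the class names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
# Format: "<ISO timestamp> <RESULT> user=<account> src=<client address>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 OK user=alice src=203.0.113.7
2024-03-01T09:05:00 FAIL user=bob src=198.51.100.4
2024-03-01T09:45:00 FAIL user=bob src=198.51.100.4
2024-03-01T10:30:00 OK user=bob src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {account: peak failures inside `window`} for accounts that reached
    `threshold` failures within any sliding window. A human mistyping twice an
    hour (bob) is not flagged; a rapid burst (alice) is."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, _src = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


class LockoutPolicy:
    """Hypothetical throttle: after `max_failures` within `window`, reject attempts
    on that account for `lockout`, which caps how many guesses per hour succeed in being tried."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15), lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, user, now):
        return self._locked_until.get(user, now) > now

    def record_failure(self, user, now):
        """Record a failed attempt; return True if the account is now locked."""
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)   # a genuine login resets the failure count
```

A success immediately following such a burst (alice at 09:00:03 in the sample) is the case worth escalating, since it suggests the guess eventually landed.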

Verifier Impersonation
The attacker impersonates the verifier and induces the claimant to reveal his/her secret token.

Hijacker
The attacker takes over an already authenticated session and then poses as the genuine subscriber or IT system, either to obtain sensitive information or to inject invalid information.

Other Sources of Threats

Other than the enrolment and authentication processes, some security attacks may also lead to threats in e-Authentication.

Phishing / Bogus Website
The attacker uses fake email messages that appear to come from a legitimate organisation and asks the victim to provide sensitive information such as account ID, password, etc. or provides a link to a fraudulent website for the victim to enter sensitive information.

Hacking
The attacker exploits vulnerabilities in computer systems to gain access to and steal sensitive personal data, passwords, etc. for use in further attacks such as impersonation or taking control of accounts.

Cross-site Scripting
The hacker injects malicious code or scripts into a legitimate website so that, when the victim visits the site, the scripts execute in the victim's browser to steal sensitive information or redirect the victim to a fraudulent website that mimics the legitimate one.